CVE-2026-28673

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containing a binary and a `manifest.json`. The server trusts the `binaries` field in the manifest and executes the specified file without any validation of its contents or behavior, leading to Remote Code Execution (RCE). Version 0.4.0 fixes the issue.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-4vw4-5wmh-7x4v	Exploit Vendor Advisory
https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-4vw4-5wmh-7x4v	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:danvei233:xiaoheifs:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-18 01:16

Updated : 2026-03-23 17:58

NVD link : CVE-2026-28673

Mitre link : CVE-2026-28673

CVE.ORG link : CVE-2026-28673

JSON object : View

Products Affected

danvei233

xiaoheifs

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2026-28673", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2026-03-18T01:16:05.117", "references": [{"url": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-4vw4-5wmh-7x4v", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-4vw4-5wmh-7x4v", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containing a binary and a `manifest.json`. The server trusts the `binaries` field in the manifest and executes the specified file without any validation of its contents or behavior, leading to Remote Code Execution (RCE). Version 0.4.0 fixes the issue."}, {"lang": "es", "value": "xiaoheiFS es un sistema financiero y operativo autoalojado para negocios de servicios en la nube. En versiones hasta la 0.3.15 inclusive, el sistema de plugin est\u00e1ndar permite a los administradores subir un archivo ZIP que contiene un binario y un `manifest.json`. El servidor conf\u00eda en el campo `binaries` en el manifiesto y ejecuta el archivo especificado sin ninguna validaci\u00f3n de su contenido o comportamiento, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo (RCE). La versi\u00f3n 0.4.0 soluciona el problema."}], "lastModified": "2026-03-23T17:58:19.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:danvei233:xiaoheifs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D0180A96-D887-4385-AC4F-58ECEAAC15D3", "versionEndExcluding": "0.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}